News Links

GDPR and what it means to companies in the Indian Ocean and Africa

#121 - Posted on
23 Oct 2017 - Author: SM - Category: Security

With fines for non-compliance of up to 4% of a company’s annual global turnover or €20 Million (whichever is greater), and applicable regardless of the company’s location (i.e.: Mauritius). GDPR is a regulation that can no longer be ignored from any companies processing personal data of EU Residents (i.e.: travel agencies, hospitality, banking, health care, insurance, etc.).

This article provides key facts as well as some resources to get started on the road to GDPR compliance.

1 - Key facts about GDPR

The EU General Data Protection Regulation (GDPR) is a regulation coming into force on the 25th of May 2018. It is the most important change in data privacy regulation in 20 years and will have an impact on every key component of your organisation to conduct business from your staff and processes to your systems and data.

GDPR was approved by the EU Parliament on the 14th of April 2016;

GDPR comes into effects on the 25th of May 2018 and replaces the EU Data Protection Directive 95/46/EC;

GDPR applies to all companies processing personal data of EU residents regardless of the company’s location;

Fines of up to 4% of a company’s annual global turnover or €20 Million (whichever is greater) for non-compliance;

Data breaches likely to “result in a risk for the rights and freedoms of individuals” must be reported to the relevant authorities within 72h of discovery and to their customers “without undue delay”;

Terms and conditions for consent have been strengthened: They must be affirmative, clear and using plain language;

EU Citizens will have a right to access a copy of any of their personal data free of charge and in an electronic format;

EU Citizens will have a right to be forgotten and for his/her personal data to be erased;

EU Citizens will have a right to data portability and for his/her personal data to be transmitted to another entity;

Privacy by design and by default must be enforced from the onset of designing systems;

Data Protection Officers will have to be appointed by companies processing personal data on a large scale or of special categories of data.

2 - Relevant Definitions

Data controller: An organization that collects data from EU Residents;

Data Processor: An organization that processes data on behalf of data controller;

Data Subject: A person who is an EU resident;

Personal data: “Any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.” (European Commission).

3 - The route to GDPR compliance

The first step is for your organisation’s top management and key data privacy personnel to understand the GDPR requirements and potential impact.

The second step is to analyse personal data utilisation within your organisation to get clarity on your organisation’s scope for GDPR compliance.

The third step is to conduct a technical and non-technical assessment to identify relevant data privacy design, procedure and control gaps.

Finally, to demonstrate GDPR compliance, organisations need to document, implement and then enforce controls and procedures that meet the principles of Privacy by Design and by Default as per Article 25 of the GDPR.

4 - Going further

ElysiumSecurity Ltd can help your organisation with assessing its data privacy risks and security controls. We can also provide further information on GDPR and tailored compliance assessment kit.
Contact us today for a free consultation at: consulting@elysiumsecurity.com